Kumar, S., and Spafford, E. H. An Application of Pattern Matching in Intrusion Detection. Tech. Rep. CSD--TR--94--013, Department of Computer Sciences, Purdue University, West Lafayette, IN, June 1994.
....from a set of labeled training examples. RIPPER is also used for anomaly detection to predict system calls, where the classification of each training example corresponds to the last call of the sequence [8]. The same concept of prediction of sequence calls can be implemented using neural networks [7]. The main advantages of such an approach are the lack of dependence on any statistical assumption, noise tolerance, and abstraction. A comparison of the accuracy of different algorithms for system call analysis can be found in [11]. 3. NEURAL NETWORKS 3.1 Back Propagation Back propagation ....
S. Kumar and E. Spafford, "An Application of Pattern Matching in Intrusion Detection," Technical Report 94-013, Department of Computer Sciences, Purdue University, March 1994.
....languages. Detection languages are designed to detect certain events, usually from network streams, that identify an attack. These include N-code used in Network Flight Recorder [55], P-BEST used in SRI's EMERALD [36], RUSSEL used in ASAX [20], SNP-L [68], GASSATA [43], the language used in IDIOT [9, 34, 33], the language used in Bro [51], the language used in Snort [56, 62], parallel environment grammars [32], JIGSAW [67], REE [59, 60], and ASL [58]. Correlation languages describe the relations among separate events, possibly detected by a detection language, and attempt to reason abstract ....
S. Kumar and E. H. Spafford. An Application of Pattern Matching in Intrusion Detection. Technical Report CSD-TR-94-013, The COAST Project, Dept. of Computer Sciences, Purdue University, West Lafayette, IN, USA, June 1994.
....for intrusion detection in order for the IDS to achieve maximal performance. Since most of the intrusions can be uncovered by examining patterns of user activities, many intrusion detection systems have been built by utilizing the recognized attack and misuse patterns to develop learning machines [1,2,3,4,5,6,7,8,9]. In our earlier work, support vector machines (SVMs) are found to be superior to neural networks in many important respects of intrusion detection [10,11,12], so we will illustrate feature ranking using SVMs. The data we used in our experiments originated from MIT's Lincoln Lab. It was developed ....
Kumar S, Spafford EH (1994) An Application of Pattern Matching in Intrusion Detection. Technical Report CSD-TR-94-013. Purdue University.
....soft computing techniques and also their ensemble for building models based on experimental data. Since most of the intrusions can be uncovered by examining patterns of user activities, many IDSs have been built by utilizing the recognized attack and misuse patterns to develop learning machines [3,4,5,6,7,8,9]. In our recent work, SVMs are found to be superior to ANNs in many important respects of intrusion detection [9]. In this paper we will concentrate on using the ensemble of support vector machines and neural networks with different training functions to achieve better classification accuracies. ....
Kumar S., Spafford E. H. (1994) "An Application of Pattern Matching in Intrusion Detection," Technical Report CSD-TR-94-013. Purdue University.
....user activities and audit records [1] many IDSs have been built by utilizing the recognized attack and misuse patterns. IDSs are classified, based on their functionality, as misuse detectors and anomaly detectors. Misuse detection systems use well known attack patterns as the basis for detection [1,2]. Anomaly detection systems use user profiles as the basis for detection; any deviation from the normal user behavior is considered an intrusion [1,2,3,4]. One of the main problems with IDSs is the overhead, which can become unacceptably high. To analyze system logs, the operating system must ....
....their functionality, as misuse detectors and anomaly detectors. Misuse detection systems use well known attack patterns as the basis for detection [1,2]. Anomaly detection systems use user profiles as the basis for detection; any deviation from the normal user behavior is considered an intrusion [1,2,3,4]. One of the main problems with IDSs is the overhead, which can become unacceptably high. To analyze system logs, the operating system must keep information regarding all the actions performed, which invariably results in huge amounts of data, requiring disk space and CPU resource. Next, the logs ....
Kumar S., Spafford E. H. (1994) "An Application of Pattern Matching in Intrusion Detection," Technical Report CSD-TR-94-013. Purdue University.
....which is itself a problem of great interest in building models based on experimental data. Since most of the intrusions can be uncovered by examining patterns of user activities, many IDSs have been built by utilizing the recognized attack and misuse patterns to develop learning machines [3,4,5,6,7,8,9,10,11]. In our recent work, SVMs are found to be superior to ANNs in many important respects of intrusion detection [12,13,14] we will concentrate on SVMs and briefly summarize the results of ANNs. The data we used in our experiments originated from MIT's Lincoln Lab. It was developed for intrusion ....
Kumar S., Spafford E. H. (1994) "An Application of Pattern Matching in Intrusion Detection," Technical Report CSD-TR-94-013. Purdue University.
....and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Defense Advanced Research Projects Agency, Rome Laboratory or the U.S. Government. Intrusion Detection 2 02 09 00 that essentially catalog different systems [Anderson80, Cannaday96, Liepens92, Lunt93b, Kumar94, Smaha94]. In this survey we attempt to determine the fundamental approaches and describe the essence of each approach. To be concrete, we use existing implementations to illustrate the mechanics of implementation of each approach. Intrusion detection involves determining that some entity, an intruder, has ....
Kumar, S. and E. Spafford. "An Application of Pattern Matching in Intrusion Detection." Purdue Technical Report CSD-TR-94-013, June 1994.
....classifiers. Finally, we note that security incidents can take place at a wide range of time scales. We can roughly distinguish two classes of time scales: short term attacks (consisting of a few tens of tokens at most) which are traditionally addressed via signature matching detectors [15, 13, 14, 16] and longer term attacks which are often approached with statistical or learning techniques (as in this work). Documented events in the latter class have occurred at such high profile sites as the University of California at Berkeley, Mitre Corp. [17], the Air Force's Rome Labs, Harvard University, ....
....of known attacks, generated by hand from the experience of human operators. This is both labor intensive and suffers from inability to detect previously unknown attack patterns. Nonetheless, some extant systems rely primarily on such rule bases for anomaly detection. Purdue's IDIOT system [15, 75] uses colored petri net models as attack patterns, while the GrIDS [77, 78] system employs subgraph matching rules to examine network interconnection graphs. Such models are expressive and powerful, but, to date, the attack pattern models must still be generated by hand. Signature based detectors ....
[Article contains additional citation context not shown here]
S. Kumar and E. Spafford. An application of pattern matching in intrusion detection. Technical Report CSD-TR-94-013, Purdue University, West Lafayette, Indiana, Jun 1994.
....does not try to be a full featured Intrusion Detection System (IDS) although SAINT reports can be used to detect intrusions. IDS technology is by now far ahead of SAINT's design. Advanced work on this topic is being done, among others, by Crosbie and Spafford [CS95a, CS95b], Kumar and Spafford [KS94c, KS95], and Kumar [Kum95]. SAINT is intended just as an information analysis tool. This point made, let's proceed with SAINT's design description. 5 What does SAINT do SAINT's operation can be divided in four big phases: 1. Data collection and homogenization. 2. Event sorting. 3. Event ....
Sandeep Kumar and Eugene H. Spafford. An application of pattern matching in intrusion detection. Technical Report CSD-TR-94-013, COAST Laboratory, Department of Computer Sciences, Purdue University, West Lafayette, IN 47907-1398, June 1994. Available at http://www.cs.purdue.edu/homes/spaf/tech-reps/9413.ps.
....of known attacks, generated by hand from the experience of human operators. This is both labor intensive and suffers from inability to detect previously unknown attack patterns. Nonetheless, some extant systems rely primarily on such rule bases for anomaly detection. Purdue's IDIOT system [29, 28] uses colored petri net models as attack patterns, while the GrIDS [65, 14] system employs subgraph matching rules to examine network interconnection graphs. Such models are quite expressive and powerful, but, to date, the attack pattern models must still be generated by hand. Signature based ....
S. Kumar and E. Spafford. An application of pattern matching in intrusion detection. Technical Report CSD-TR-94-013, Purdue University, West Lafayette, Indiana, Jun 1994.
....intruder who breaches the system during their learning phase. A savvy intruder can gradually train the anomaly detector to interpret intrusive events as normal system behavior. Misuse detection seeks to discover intrusions by precisely defining them ahead of time and watching for their occurrence [13]. For example, many well known attacks can be discovered by searching for distinguishing patterns or events in the audit trails. The main shortcoming of misuse detection is that future attacks cannot be predicted or detected without hard coding them into the IDS attack database. 1.2 The Solaris ....
Sandeep Kumar and Eugene Spafford. "An Application of Pattern Matching in Intrusion Detection." Technical Report. June 17, 1994.
....the implementation and evaluation of IDA, and Section 4 outlines our conclusions and indicates the direction of our future work. 2 Intrusion Detection System IDA 2.1 Analysis of Intrusion Patterns The methodology by which intrusions are detected can be divided into two categories, as follows [3]: • Anomaly Intrusion Detection • Misuse Intrusion Detection An anomaly intrusion detection system records users' activities on systems and builds statistical profiles of the activities from these records. It regards activities that differ remarkably from normal use as intrusions. Misuse ....
S. Kumar and E. Spafford, "An Application of Pattern Matching in Intrusion Detection," Technical Report 94-013, Purdue University, Department of Computer Science, 1994.
....COAST Laboratory. This section will remain short because a much better description of what IDIOT is, the design goals and the model it works under can be found in the documents included in the doc IDIOT directory in the IDIOT distribution. The files in that directory are: kumar spaf overview.ps [KS94] This report examines and classifies the characteristics of signatures used in misuse intrusion detection. The document describes a generalized model for matching intrusion signatures based on Colored Petri Nets. This is the first document you should read. We recommend that you stop reading this ....
Sandeep Kumar and Eugene Spafford. An application of pattern matching in intrusion detection. Technical report, Purdue University, 1994.
No context found.
Kumar, S., and Spafford, E. H. An Application of Pattern Matching in Intrusion Detection. Tech. Rep. CSD--TR--94--013, Department of Computer Sciences, Purdue University, West Lafayette, IN, June 1994.
No context found.
Kumar, S and Spafford, E.H. An Application of Pattern Matching in Intrusion Detection. Technical Report CSD-TR-94-013, Purdue University, 1994.
No context found.
S. Kumar and E. H. Spafford. An Application of Pattern Matching in Intrusion Detection. Technical Report CSD-TR-94-013, Purdue University, 1994.
No context found.
Kumar S., Spafford E. H. (1994) "An Application of Pattern Matching in Intrusion Detection," Technical Report CSD-TR-94-013. Purdue University
No context found.
Kumar S., Spafford E. H., 1994. An Application of Pattern Matching in Intrusion Detection. Technical Report CSD-TR-94-013, Purdue University.
No context found.
S. Kumar and E. H. Spafford. "An Application of Pattern Matching in Intrusion Detection". Technical Report CSD-TR-94-013, Purdue University, 1994.
No context found.
Kumar S., Spafford E. H. (1994) "An Application of Pattern Matching in Intrusion Detection," Technical Report CSD-TR-94-013. Purdue University.
No context found.
S. Kumar and E. Spafford. An Application of Pattern Matching in Intrusion Detection. Purdue Technical Report CSD-TR-94-013, June 1994.
No context found.
Sandeep Kumar and Eugene H. Spafford. An Application of Pattern Matching in Intrusion Detection. Technical Report CSD-TR-94-013, Department of Computer Science, Purdue University, March 1994.
No context found.
S. Kumar and E. H. Spafford. An application of pattern matching in intrusion detection. Purdue University Technical Report CSD-TR-94-013, 1994.
No context found.
Kumar, S. and Spafford, E. H. (1994b). An Application of Pattern Matching in Intrusion Detection. Technical Report CSD-TR-94-013, Purdue University.
No context found.
Sandeep Kumar and Eugene H. Spafford. An application of pattern matching in intrusion detection. Technical Report CSD-TR-94-013, The COAST Project, Dept. of Computer Sciences, Purdue University, West Lafayette, IN, USA, June 17 1994.
CiteSeer.IST - Copyright Penn State and NEC